AuthAnvil Windows Credential Provider Install Guide

The AuthAnvil Two Factor Auth Windows Credential Provider offers companies the ability to add strong two-factor authentication to Microsoft's Windows client and server operating systems. It provides a simple and consistent logon experience whether users log on at the local desktop or through a terminal session, and it offers identity assurance by requiring users to provide their AuthAnvil Two Factor Auth passcode during the logon process.

Supported Platforms

The AuthAnvil Two Factor Auth Windows Credential Provider is available for the following platforms:

Windows Server 2008, 2008 R2, 2012, 2012 Essentials, 2012 R2

Small Business Server 2008, 2011

Small Business Server Essentials 2011

Essential Business Server 2008

Vista, Windows 7 and Windows 8, Windows 8.1

Windows 2008, 2008 R2 and 2012 Terminal Server

Windows Server 2008 R2 Core

Hyper-V Server 2008

Note: This agent does not support Windows 10.

Note: As of April 2014, Windows XP is no longer supported.

Note: As of July 2015, Server 2003 is no longer supported.

Prerequisites

The following software must be installed before the Windows Credential Provider can be installed.

Note: These must be installed manually on 64-bit machines before installing the Windows Credential Provider, as there is no prerequisite checking available. Installing the Windows Credential Provider without the prerequisites installed will leave the machine unable to log in successfully, and will require the Credential Provider to be removed using the Emergency Uninstall Procedure.

.NET Framework 2.0 or later (Not required for Server Core and Hyper-V)

Microsoft Visual C++ 2008 Runtimes (MSVC++ 9.0)

MSXML 6.0

Installation

Scorpion Software offers two different agents for Windows Logon. These include:

Windows Logon Agent: Sometimes called a GINA extension. Provides strong authentication for Windows Server 2003 systems. This is available in the AAWinLogon.exe installation file.

Installation Steps

Review the license agreement and when satisfied enable the I Agree checkbox and click Next.

Enter the AuthAnvil Two Factor Auth Web Service URL. The installer default is http://localhost/authanvil/SAS.asmx. Use a Fully Qualified Domain Name (FQDN) address with SSL if possible, e.g. https://authserver/authanvil/SAS.asmx.

Note: The SSL certificate of the AuthAnvil Two Factor Auth SAS MUST be trusted by the target system where the agent is being installed.

Enter the AuthAnvil Two Factor Auth Site ID. This will typically be set to 1 unless your AuthAnvil Two Factor Auth server is not on premise and is being hosted in the cloud by a managed service provider (MSP).

Click Next.

Accept the default Override Group (Two Factor Auth Override), or enter your own. Please note that you will need to create this universal Security Group in Active Directory if it does not already exist.

Enter an Override Password and confirm it.

Note: If you leave the Override Password blank, the override feature will be disabled and you will not be able to use it.

Click Next.

When the installation completes, it will ask to reboot on Windows Server 2003 systems. You should do this immediately.

Uninstalling the Windows Logon Agent

You can uninstall the agent from the Start menu or from Add/Remove Programs in the Control Panel.

Note: For Windows XP and Windows Server 2003 systems, the installer will ask to restart the system after uninstalling, so be certain that a system restart will not affect any other network resources or staff before doing so.

Configuration Notes

During installation the wizard offers four separate configuration options that get stored in the registry:

AuthAnvil Two Factor Auth SAS Site ID: The site number of the AuthAnvil Two Factor Auth SAS. Typically set to 1.

Active Directory Override Group: The Active Directory Security Group that can override the need to provide an AuthAnvil Two Factor Auth passcode during login.

Global Password Override: The local machine master password that overrides the need for an AuthAnvil Two Factor Auth passcode during login.

The AuthAnvil Two Factor Auth Override Group

By default the Windows Credential Provider enforces strong authentication on all accounts. This means that every account that is presented with the Logon dialog box on a system where our agent is installed must present its AuthAnvil Two Factor Auth passcode along with its Windows logon credentials.

There may be times when this isn't desirable for all accounts. In such a case, it is possible to assign a user to a Local or Active Directory Security Group which our agent will honor. If someone is a member of that group, they will not be required to enter their AuthAnvil Two Factor Auth passcode and can leave that field blank.

During installation, the Active Directory Override Group is defined by the person running the installer. If you wish to use this feature, it is the responsibility of the Local or Domain administrator to create this Security Group and assign users as required by their corporate security policy.

The AuthAnvil Two Factor Auth Override Password

There are times when it may be required to bypass AuthAnvil Two Factor Auth to log in. Some examples may include:

Times when the AuthAnvil Two Factor Auth Web Service is not accessible

Times when an AuthAnvil Two Factor Auth token is not present and an immediate login is required

Times when an administrator's token is locked and they need access to the server

When this occurs, it is possible to override the requirement to present an AuthAnvil Two Factor Auth passcode and use an override password instead. This should only be used in extreme situations. Misuse of this password could completely bypass AuthAnvil Two Factor Auth, rendering its purpose moot. This password should be known by as few people as possible, and should be changed immediately if it is used.

If you leave it blank during the installation, this feature is made unavailable to all users and administrators.

Note: If an Override Password is not configured, the only way to log in is by using a valid AuthAnvil Two Factor Auth passcode or by being a member of a configured AuthAnvil Two Factor Auth Override Group. You may want to configure this group prior to restarting the system or logging off.

Enabling offline caching mode

The Windows Credential Provider has the ability to work in an offline caching mode, offering strong authentication when the server or workstation is disconnected from the AuthAnvil Two Factor Auth server. A perfect usage scenario would be laptops used in the field that may not yet have an established network connection.

With offline caching mode enabled, AuthAnvil Two Factor Auth servers will deliver a hashed list of the next n passcodes, where n is defined by the AuthAnvil Two Factor Auth SAS. By default the number of returned passcodes is 25, and this can be overridden using the web.config in the authanvil web service. While offline, the Windows Credential Provider will authenticate against this list, and will warn the user to reconnect to an AuthAnvil Two Factor Auth server when fewer than 5 passcodes remain.

To enable offline caching, you need to either use the silent mode command line switch (see Appendix B) or you can use the AuthAnvil Two Factor Auth Logon Configuration tool in the Control Panel (see Changing Settings After Installation). If you have decided not to install the AuthAnvil Two Factor Auth Logon Configuration tool, you can manually edit the setting in the Registry by following these steps:

Start regedit

Open the HKEY_LOCAL_MACHINE\SOFTWARE\Scorpion Software\AuthAnvilLogon hive.

Edit the CacheCredentials value and change it to 1.

Close regedit

Note: There are a few considerations you should be aware of when using the offline caching mode:

In complex environments where AuthAnvil Two Factor Auth credentials may be used for logging into many different systems, you may want to increase the number of passcodes that are cached to ensure synchronization is maintained between the online and offline systems.

Offline caching mode was designed to work with Standard Users who have tokens assigned to their account. Although it will work with grouped users, it will only cache the last member of the group who logged in. So in cases where a different grouped user may log in, the hashed passcode list will never match, and therefore no other grouped user member will be able to authenticate offline.

Offline caching mode will not work with proxied users. When an AuthAnvil Two Factor Auth server authenticates a proxied user, the server that the authentication is delegated to only returns a true/false. It does not return the list of authentication hashes that offline caching mode requires.

This feature is only available on AuthAnvil Two Factor Auth servers running AuthAnvil Two Factor Auth v3.x or newer.

Changing Settings after Installation

If you need to change the AuthAnvil Two Factor Auth configuration settings or the override password, you can do this using the AuthAnvil Two Factor Auth Logon Configuration tool installed to the Control Panel.

If during installation you chose not to install this tool, you will have to edit the registry manually to update settings. Please open a case in the Customer Portal if you need help with this.

Note: If you have configured an installation password, you will need to enter this credential to access this tool from the Control Panel.

Other Settings

The Credential Provider also has a few settings that are not currently exposed through the UI, and cannot be set at install time. These settings must be set by editing the registry, so the standard warnings about editing the registry apply.

Toggle Override Group Behavior: The Override Group behavior can be toggled between the default behavior of allowing the members of the Override Group to log on without a token, and allowing everybody to log on without a token *except* for the members of the Override Group.

To change this, set the value HKEY_LOCAL_MACHINE\SOFTWARE\Scorpion Software\AuthAnvilLogon\OverrideGroupRequires2FA to 0 for the default behavior, or to 1 to force members of the Override Group to log on using a token.

Note: If the Override Group does not exist on the local computer or in Active Directory (if domain joined), toggling this function will have no effect.

Do not show tiles for remote sessions (only on Vista, Win 7, Server 2008 and 2008 R2): The Credential Provider can be set to not show the user tiles for remote sessions on the Windows console and Terminal Server logon screens. This protects users' privacy by not allowing a terminal services user to know what other users are logged into the system.

To activate this, create a REG_DWORD value named HideRemoteSessions under the HKEY_LOCAL_MACHINE\SOFTWARE\Scorpion Software\AuthAnvilLogon registry key and set it to 1. Delete the value or set it to 0 to revert to the default Credential Provider behavior.
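The registry-only settings described here and in Enabling offline caching mode can be audited and set from an elevated PowerShell prompt. The script below is an added example, not a tool shipped with the Credential Provider; it assumes CacheCredentials, OverrideGroupRequires2FA and HideRemoteSessions are REG_DWORD values under the AuthAnvilLogon key named in this guide, and takes the Override Group name as a parameter because the guide does not name the registry value that stores it.

```powershell
# Added example, not part of the AuthAnvil Credential Provider: audit and set the
# registry-only settings this guide describes. Assumes CacheCredentials,
# OverrideGroupRequires2FA and HideRemoteSessions are REG_DWORD values under the
# AuthAnvilLogon key; the Override Group name is supplied by the caller because
# the guide does not name the registry value that stores it. Run elevated.
param([string]$OverrideGroup = 'Two Factor Auth Override')

$KeyPath = 'HKLM:\SOFTWARE\Scorpion Software\AuthAnvilLogon'

function Get-AuthAnvilLogonSetting {
    param([string]$Name)
    try { (Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent: the provider applies its default
}

function Set-AuthAnvilLogonSetting {
    # Creates or overwrites the value as REG_DWORD, e.g. CacheCredentials = 1
    param([string]$Name, [int]$Value)
    New-ItemProperty -Path $KeyPath -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Test-OverrideGroupExists {
    param([string]$Name)
    # Local group check via the WinNT provider (available on the older platforms
    # this guide lists); AD check only when the ActiveDirectory module is present.
    if ([System.DirectoryServices.DirectoryEntry]::Exists("WinNT://$env:COMPUTERNAME/$Name,group")) { return $true }
    if (Get-Command Get-ADGroup -ErrorAction SilentlyContinue) {
        return [bool](Get-ADGroup -Filter "Name -eq '$Name'" -ErrorAction SilentlyContinue)
    }
    return $false
}

function Test-AuthAnvilLogonConfig {
    param([string]$OverrideGroup)
    if (-not (Test-Path $KeyPath)) { return @("$KeyPath not found; is the Credential Provider installed?") }
    $cache  = Get-AuthAnvilLogonSetting 'CacheCredentials'
    $req2fa = Get-AuthAnvilLogonSetting 'OverrideGroupRequires2FA'
    $hide   = Get-AuthAnvilLogonSetting 'HideRemoteSessions'
    $report = @()
    $report += "CacheCredentials = $cache (offline caching $(if ($cache -eq 1) {'enabled'} else {'disabled'}))"
    if ($req2fa -eq 1) {
        # Inverted semantics: everyone EXCEPT the group logs on without a token
        $report += "OverrideGroupRequires2FA = 1: all users except '$OverrideGroup' skip 2FA; confirm this is intended"
    } else {
        $report += "OverrideGroupRequires2FA = $req2fa: only '$OverrideGroup' members skip 2FA (default)"
    }
    $report += "HideRemoteSessions = $hide (remote-session tiles $(if ($hide -eq 1) {'hidden'} else {'shown'}))"
    if (-not (Test-OverrideGroupExists $OverrideGroup)) {
        $report += "Override group '$OverrideGroup' not found locally or in AD: group override and the OverrideGroupRequires2FA toggle have no effect"
    }
    return $report
}

Test-AuthAnvilLogonConfig -OverrideGroup $OverrideGroup
```

To enable offline caching with the same script, call Set-AuthAnvilLogonSetting -Name CacheCredentials -Value 1 and re-run the audit to confirm the change.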